Building a Sample Add-on for OWASP ZAP
Hi!
The Zed Attack Proxy, commonly known as ZAP, is an excellent proxy tool that can be used to check web applications for vulnerabilities. It is widely used, free and open source. The project home can be found here.
Using ZAP is easy: download it and run zap.sh on Linux or zap.bat on Windows. If you are a developer interested in extending ZAP it is great too, because every function of ZAP is itself built as an extension.
ZAP can also produce a scan report in .html or .xml format. I was assigned the task of creating a ZAP plugin that exports the vulnerabilities ZAP identifies as issues in JIRA. I will post about how that add-on is built from the bottom up in the weeks to come.
For now, to kick things off, I will share how to get started. First thing to keep in mind: if you have any question regarding ZAP, fear not! The ZAP developer group is a cool place where you can meet wonderful techies who are ready to help and resolve your questions. All you have to do is ask! :)
So to the fun part. The ZAP project has recently been migrated to GitHub, like many other projects that were on Google Code. The GitHub project home is at https://github.com/zaproxy and you can find most things related to ZAP from there.
An important document I used to get things moving is "Creating OWASP ZAP Extensions and Add-ons Version 1.0", which can be found here. Even though it is a bit old, it is a neat document and was a great resource for me.
But sadly, for most of us developers things don't "click" on the first go. So I will use the contents of this document to help you develop your first ZAP plugin. For development you will need two projects: zaproxy (the core) and zap-extensions (the add-ons).
Use git to clone both repositories into a folder of your choosing and make sure the two projects sit side by side in the same parent folder. I have built the project and the extension on both Windows and Linux, but I'm going to use Linux to explain this since it's simpler.
I cloned both projects into a folder called workspace on my Desktop.
Then you have to build the zaproxy project. Instructions on how to build ZAP in different IDEs can be found here. I used IntelliJ IDEA. If the IDE complains about missing dependencies when building, you will have to download them manually and add them to the build path. Since ZAP uses Ant there is no easy way of doing this, but at the time of writing there is a discussion about moving the project to Maven, which will make life easier for developers.
Next, open up the zap-extensions project. An example add-on is available at https://github.com/zaproxy/zap-extensions/tree/alpha/src/org/zaproxy/zap/extension in the alpha branch of the zap-extensions project.
There you will find the following sample files.
files/example contains a text file that the add-on reads and displays as a message.
The resources folder contains the files needed to add language support (the Messages.properties files) for the add-on you are creating. Let's set them aside for the moment.
The next two files are the Java source files that contain the code of the add-on we are going to build. ExtensionSimpleExample.java adds a menu item to ZAP's Tools menu.
I'm going to build that extension. ZapAddOn.xml contains the details about the add-on we are building (its name, version, description and the extension classes it ships) and can be modified according to the plugin you develop in the future. For now I will keep it unchanged.
I will highlight two parts of the code (in ExtensionSimpleExample.java) that I think are useful for a developer doing this for the first time.
The first is the hook(ExtensionHook) method, the part of the code where your extension gets "hooked" into ZAP. Keep in mind that ZAP can be run in 4 different ways:
/**
* ZAP can be run in 4 different ways:
* cmdline: an inline process that exits when it completes the tasks specified by the parameters
* daemon: a single process with no Swing UI, typically run as a background process
* desktop: a Swing based desktop tool (which is how is originated, as a fork of Paros Proxy)
* zaas: a highly scalable distributed system with a web based UI, aka ‘ZAP as a Service’ (this is ‘work in progress’)
*/
The above is extracted from ZAP.java, which contains ZAP's main method. Since the menu item lives in the Swing UI, it will only be displayed in desktop mode; in cmdline or daemon mode there is no GUI, so an extension should only register UI components when a view is actually available.
The second part is the menu item's action listener. This is where you invoke the actions of your add-on. Right now all it does is display a message dialog with some pre-defined text.
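The following is an added example of a complete extension class of the shape described above; it is not the code from the zap-extensions repository or from the original post. It assumes the package org.zaproxy.zap.extension.simpleExample and the i18n keys simpleExample.topmenu.tools.title, simpleExample.topmenu.tools.msg and simpleExample.desc, which would be defined in the resources/Messages.properties file mentioned earlier; those key names are my choice, not the project's.

```java
package org.zaproxy.zap.extension.simpleExample;

import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;

import org.parosproxy.paros.Constant;
import org.parosproxy.paros.extension.ExtensionAdaptor;
import org.parosproxy.paros.extension.ExtensionHook;
import org.parosproxy.paros.view.View;
import org.zaproxy.zap.view.ZapMenuItem;

/**
 * Added example: a minimal ZAP extension that adds an item to the Tools menu.
 * The package name and the i18n keys are assumptions for this illustration.
 */
public class ExtensionSimpleExample extends ExtensionAdaptor {

    /** Name ZAP uses to identify this extension; it must be unique. */
    public static final String NAME = "ExtensionSimpleExample";

    /** Prefix of the keys in resources/Messages.properties (assumed). */
    private static final String PREFIX = "simpleExample";

    private ZapMenuItem menuExample;

    public ExtensionSimpleExample() {
        super(NAME);
    }

    /**
     * Called once by ZAP at start-up. This is where the extension "hooks"
     * itself into the core: menus, panels, proxy listeners and so on.
     */
    @Override
    public void hook(ExtensionHook extensionHook) {
        super.hook(extensionHook);
        // The Tools menu only exists in desktop mode. In cmdline or daemon
        // mode there is no Swing view, so UI registration is skipped.
        if (getView() != null) {
            extensionHook.getHookMenu().addToolsMenuItem(getMenuExample());
        }
    }

    /** Lazily builds the menu item and wires the add-on's action to it. */
    private ZapMenuItem getMenuExample() {
        if (menuExample == null) {
            // ZapMenuItem resolves its label from Messages.properties by key.
            menuExample = new ZapMenuItem(PREFIX + ".topmenu.tools.title");
            // Anonymous class rather than a lambda so it also compiles on Java 7.
            menuExample.addActionListener(new ActionListener() {
                @Override
                public void actionPerformed(ActionEvent e) {
                    // The add-on's action: show a pre-defined message.
                    View.getSingleton().showMessageDialog(
                            Constant.messages.getString(PREFIX + ".topmenu.tools.msg"));
                }
            });
        }
        return menuExample;
    }

    /** Lets ZAP unload the add-on without a restart. */
    @Override
    public boolean canUnload() {
        return true;
    }

    @Override
    public String getAuthor() {
        return "Example author";
    }

    @Override
    public String getDescription() {
        return Constant.messages.getString(PREFIX + ".desc");
    }
}
```

ZAP locates this class through the extension entry in ZapAddOn.xml, so the fully qualified class name listed there must match the package and class above. The null check on getView() is the caveat from the previous paragraph: it keeps the same add-on loadable in daemon mode, where there is no menu bar to add to.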
Now to the build. To build this extension you need to configure the build.xml file according to your project.
The build file we are going to use is zap-extensions/build/build.xml. Two changes have to be made to build this add-on.
First we have to configure the ZAP plugin directory. This is the location the built add-ons are written to, which is where the zaproxy project looks for extensions when it runs. The following image shows the corresponding line in the source.
You have to change the directory location as necessary. In my case, since both projects are under the directory workspace, I used "../../zaproxy/src/plugin" as the plugin directory location.
Next you have to include the new add-on you are building in build.xml. That can be done as follows.
Here note the comment in ExtensionSimpleExample.java:
/**
 *
 * An example ZAP extension which adds a top level menu item.
 *
 * This class defines the extension.
 */
As the comment says, this class defines the extension. The package name, simpleExample, is used as the add-on name in build.xml.
Next we can create a new Ant run configuration to build the project. Add build.xml as the Ant build file; once added it will look as follows.
In the Ant targets you can see one called build all. Run this target to build the extension.
All the extensions are built into a folder called zap-exts under zap-extensions/build.
Once built, the extensions will look like this. Next we can deploy the plugin into ZAP. I use the zaproxy project I built earlier for this purpose (the main class to run ZAP is zaproxy/src/org/zaproxy/zap/ZAP.java).
When you run ZAP from source it starts as a dev build. I use File -> Load Add-on file to import the add-on into ZAP. The add-on is a .zap file with the name simpleExample-release-1. Once imported, a new menu item should appear in the Tools menu as follows.
When clicked, a message box should appear if the add-on has been built properly.
So that's how you build your first add-on for OWASP ZAP. I hope you find this post useful. If there are any questions please feel free to post them below. Cheers!
Originally published at neatrick.wordpress.com on November 12, 2015.